Manufacturing Security Part 2: Lessons from the Financial Services Industry

The financial services industry is known for tight security. In spite of being an extremely attractive target for hackers, the industry accounted for only 12% of the total breaches worldwide, according to the 2014 Breach Level Index. Another study by the Identity Theft Resource Center shows that the banking, finance and credit industries accounted for only 5.5% of breaches in the United States.

Yet it hasn’t always been this way; financial services was the first industry targeted by hackers, and has had some of the most costly breaches in history, including the 2008 Heartland Payment System Breach, which exposed 134 million credit cards. Nor are things perfect now, as the 2014 JP Morgan Chase mega breach shows. But privacy, disclosure and confidentiality best practices, backed up by a strict regulatory compliance environment, have led to a dramatic curtailment of data leaks across the industry.

Manufacturing Security Need

Unfortunately, while banks were tightening security, manufacturers were falling behind. In conversation with manufacturing executives, I would hear alarming things. They would make comments like, “Yes, we have a cybersecurity budget, but I don’t know what to do with it.” When I would ask them if they had had breaches, they would tell me, “it’s a delicate area,” and then politely change the subject.

If banks were short-staffed, what chance did manufacturing security have? Most areas of manufacturing are not required to disclose breaches, so the industry’s security problems were not in the news much. Still, I could see the writing on the wall.

Resource Shortages

There has been a lot of talk about the information security shortage recently; the number of organizations with too few information security staff grew from 56% in 2013 to 62% by the end of 2014, and the industry is expected to be short 1.5 million workers by 2020. It is only one of many areas where IT supply has been falling behind demand for years.

While serving as Security Operations Manager at Fidelity Information Services (FIS), I recognized that there needed to be a new model where organizations could collaborate with partners to provide a complete suite of enterprise-class IT administration and support. So instead of working with a skeleton security and compliance staff, banks could partner with specialist organizations that had the skills to provide all of their IT solutions. Based on this perceived need, we started a service within FIS called Network Health Services. It was all-encompassing — we would help banks with their technology, strategy and security.

Comprehensive Manufacturing Security

Having brought this experience to Symmetry, we have developed the same concept of holistic IT and security managed services for our customers in the manufacturing sector. Unpatched vulnerabilities are the biggest security risk, but many manufacturers simply do not keep their enterprise cloud up to date. We will make sure that your system is patched and optimized, eliminating the software holes hackers can use to get in. We will back that up with encryption and good password management and administration, to cut the risk of a breach and mitigate possible damage.

However, it is Symmetry’s security team and the skilled resources we bring to bear that set us apart from the competition. We use innovative technology like the Dell SecureWorks iSensor, backed up with 24/7 monitoring and threat response. Hackers usually have to spend a lot of time probing for vulnerabilities before they actually launch an attack. That leaves a trail of suspicious network activity, which our security team can use to track and neutralize them before they can access your system. The same technique allows us to quickly stop internal threats, such as computers infected by malware.

Finally, we will help you defend against the toughest security threat of all: carelessness. Clicking the wrong link or saving assets to the wrong device can leave your infrastructure and assets exposed. Our IT consulting services will help you evaluate the way you do business, and create a security culture that will keep your data safe, both on the job and off.

Lessons Learned

Security is not just a service or a piece of technology you can plug in (although both play an important role in it); it has to be part of everything your organization does. As the manufacturing industry works to catch up, many organizations are doing what banks did in the early days — putting in firewalls, antivirus software, and Intrusion Detection and Prevention Systems (IDPS), but not backing them up with 24/7/365 SOC monitoring.

That is not good enough. There are nearly 1 million malware threats created every day — far more than any antivirus program can cope with. In addition, there are phishing websites, unpatched bugs, botnets scanning for weaknesses and too many other threats to name. Manufacturers are particularly vulnerable because PLC security can be outdated. A hacker or malicious competitor could break in and sabotage your plant, causing significant damage on the factory floor, and putting your workers in danger.

The biggest lesson manufacturers need to learn is that no one can do security alone — it’s just too knowledge- and resource-intensive. Our international Cyber Security team depends on partners like Dell SecureWorks, along with national security organizations in several countries.

Our Security and Compliance depends on auditing for ISO, HIPAA, ISO/IEC 27001 and SSAE16 SOC 1 compliance, along with 24-hour monitoring. Finally, it all rests on the security-consciousness and skill of our SAP-certified staff. With the combined expertise of all those individuals and organizations, we can keep our business partners truly safer in the cloud.

Good Security is Good Business

Hackers are opportunistic people who make a living exploiting the most vulnerable. Any information you leave unsecured — from cutting edge designs to your employee database — could attract their attention. Symmetry’s security and compliance team can protect your IT investment. When hackers go after easier targets, you will be running strong, and ready to come out ahead.

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution, which provides audit automation and acceleration of security and control processes.